RadioGatún

RadioGatún

General
Designers	Guido Bertoni Joan Daemen Michaël Peeters Gilles Van Assche
First published	August 2006
Derived from	Panama
Successors	Keccak (SHA-3)
Cipher detail
Block sizes	19 words in mill; 39 words in belt
Best public cryptanalysis
Fuhr/Peyrin 2008, 211w (352/704 bits) complexity

RadioGatún is a cryptographic hash primitive created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. It was first publicly presented at the NIST Second Cryptographic Hash Workshop, held in Santa Barbara, California, on August 24–25, 2006, as part of the NIST hash function competition. The same team that developed RadioGatún went on to make considerable revisions to this cryptographic primitive, leading to the Keccak SHA-3 algorithm.^[1]

RadioGatún is a family of 64 different hash functions, distinguished by a single parameter, the word width in bits (w), adjustable between 1 and 64. The only word sizes with official test vectors are the 32-bit and 64-bit variants of RadioGatún. The algorithm uses 58 words, each using w bits, to store its internal state, so the 32-bit version needs 232 bytes to store its state (since each word needs 32 bits or four bytes, and 58 multiplied by four is 232) and the 64-bit version 464 bytes (each word using eight bytes).

Although RadioGatún is a derivative of Panama, a stream cipher and hash construction from the late 1990s whose hash construction has been broken, RadioGatún does not have Panama's weaknesses when used as a hash function. As of 2022, RadioGatún is still a secure hash function;^[2][3][4][5] the largest version of RadioGatún that is broken is the one with a word size of two bits. RadioGatún has a claimed security strength of 304 bits for the 32-bit version and 608 bits for the 64-bit version. The best known cryptanalysis has not broken this claim: It needs 352 bits of work for the 32-bit version and 704 bits of work for the 64-bit version.

RadioGatún can be used either as a hash function or a stream cipher; it can output an arbitrarily long stream of pseudo-random numbers; this kind of hash construction is now known as an "extendable-output function" (XOF).^[6]

Claimed strength

The algorithm's designers, in the original RadioGatún paper, claimed that the first 19 × w bits (where w is the word width used) of RadioGatún's output is a cryptographically secure hash function.^[7]

Since publishing the paper, the designers revised their security claim, and now claim that RadioGatún has the security of a cryptographic sponge function with a capacity of 19w.^[8] This means that the 32-bit version of RadioGatún can be used to make a hash with 304 bits of security (both from collision attacks and from Preimage attacks), and the 64-bit version offers 608 bits of security.

Implementation details

The designers call RadioGatún an "ideal mangling function". RadioGatún uses a "belt" and "mill" to cryptographically process binary data, with the majority of mangling operations performed on the "mill" part of RadioGatún.^[9]

Keccak removed the belt, increased the size of the mill from 19 words to 25 words, and made the mill function somewhat more complicated.^[10]

The core belt function looks like this:

(A,B) = R(a,b)
for row = 0 to 2 do
    for all i do 
        B[i, row] = b[i + 1 mod 13, row]
    end for
end for {Belt function: simple rotation}
for i = 0 to 11 do
    B[i + 1, i mod 3] = B[i + 1, i mod 3] ⊕ a[i + 1]
end for {Mill to belt feedforward}
A = Mill(a) {Mill function}
b = B
for i = 0 to 2 do
    A[i + 13] = A[i + 13] ⊕ b[12, i]
end for {Belt to mill feedforward}

And the mill function Mill(A) looks like this:

{all indices should be taken modulo 19,
x ≫ y denotes bitwise rotation (rotate x right y bits)
x ⊕ y denotes exclusive or
x |~ y denotes performing a bitwise or between x and the bitwise negation of y}
for all i do
    A[i] = a[i] ⊕ (a[i + 1]|~a[i + 2])
end for {γ: non-linearity}
for all i do
    a[i] = A[7i] ≫ i(i + 1)/2
end for {π: intra-word and inter-word dispersion}
for all i do
    A[i] = a[i] ⊕ a[i + 1] ⊕ a[i + 4]
end for {θ: diffusion}
A[0] = A[0] ⊕ 1 {ι: asymmetry}

The Wikibooks page on RadioGatún provides full implementation details, and Module:RadioGatun32 is an implementation of the 32-bit version of RadioGatún.

Cryptanalysis

In the paper "Two attacks on RadioGatún", Dmitry Khovratovich presents two attacks that do not break the designers' security claims, one with a complexity of 2^18w and another with a complexity of 2^23.1w.^[11] Khovratovich also authored a paper, entitled "Cryptanalysis of hash functions with structures", which describes an attack with a complexity of 2^18w.^[12]

In the paper "Analysis of the Collision Resistance of RadioGatún using Algebraic Techniques", Charles Bouillaguet and Pierre-Alain Fouque present a way of generating collisions with the 1-bit version of the algorithm using an attack that needs 2^24.5 operations.^[13] The attack can not be extended to larger versions since "all the possible trails we knew for the 1-bit version turned out to be impossible to extend to n-bit versions." This attack is less effective than the other attacks and also does not break RadioGatún's security claim.

The most effective attack against the algorithm, one with a complexity of 2^11w, is given in the paper "Cryptanalysis of RadioGatun" by Thomas Fuhr and Thomas Peyrin. In the paper, they break the 2-bit (word size of two) version of RadioGatún.^[14] While more effective than the other attacks, this attack still does not break the security claim.

The developers of RadioGatún have stated that their "own experiments did not inspire confidence in RadioGatún".^[15]

Test vectors

The only RadioGatún variants that the designers supplied test vectors (published hash values for sample inputs so programmers can verify they are correctly implementing the algorithm) for are the 32-bit and 64-bit versions.

RadioGatún[32]

These test vectors, generated using the 32-bit version of RadioGatún, only show the first 256 bits of RadioGatún[32]'s arbitrarily long output stream:

RadioGatun[32]("") =
F30028B54AFAB6B3E55355D277711109A19BEDA7091067E9A492FB5ED9F20117

RadioGatun[32]("The quick brown fox jumps over the lazy dog") =
191589005FEC1F2A248F96A16E9553BF38D0AEE1648FFA036655CE29C2E229AE

RadioGatun[32]("The quick brown fox jumps over the lazy cog") =
EBDC1C8DCD54DEB47EEEFC33CA0809AD23CD9FFC0B5254BE0FDABB713477F2BD

RadioGatún[64]

Here are hashes for the 64-bit version:

RadioGatun[64]("") =
64A9A7FA139905B57BDAB35D33AA216370D5EAE13E77BFCDD85513408311A584

RadioGatun[64]("The quick brown fox jumps over the lazy dog") = 
6219FB8DAD92EBE5B2F7D18318F8DA13CECBF13289D79F5ABF4D253C6904C807

RadioGatun[64]("The quick brown fox jumps over the lazy cog") = 
C06265CAC961EA74912695EBF20F1C256A338BC0E980853A3EEF188D4B06FCE5

References

1. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche, Gilles (2009). "The Road from Panama to Keccak via RadioGatún". Dagstuhl Seminar Proceedings (DagSemProc). 9031: 1–9. doi:10.4230/DagSemProc.09031.17. Retrieved 2009-10-20. {{cite journal}}: Cite journal requires |journal= (help)
2. Sadeghi-Nasab, Alireza; Rafe, Vahid (2022). "A comprehensive review of the security flaws of hashing algorithms" (PDF). Journal of Computer Virology and Hacking Techniques. 19 (2): 287–302. doi:10.1007/s11416-022-00447-w. S2CID 253033894. RadioGatún continues to be a safe hash function
3. Kishore, Neha; Raina, Priya (2019). "Parallel cryptographic hashing: Developments in the last 25 years". Cryptologia. 43 (6): 504–535. doi:10.1080/01611194.2019.1609130. S2CID 201884222. RadioGatún (Bertoni et al.2006) is still secure
4. Thomas Pornin (2011-04-03). "Need suggestion for faster Linux fingerprint/hash comparison". Among those I cite, the Radiogatun and Shabal functions are currently unbroken.
5. Zooko Wilcox (2017-02-24). "Lessons From The History Of Attacks On Secure Hash Functions". Retrieved 2018-06-28. no new secure hash functions (designed after approximately the year 2000) have so far succumbed to collision attacks, either.
6. "Archived copy" (PDF). Archived from the original (PDF) on 2017-01-31. Retrieved 2017-07-17.
7. Page 9 (Section 6) of "RadioGatún, a belt-and-mill hash function" states that "RadioGatún [lw] offers a security level indicated by a capacity c = 19 * w. For the 64-bit version RadioGatún this is a capacity of 1216 bits, for the 32-bit version and 16-bit version this gives 608 and 304 bits respectively."
8. http://radiogatun.noekeon.org/ "We now prefer to express the security claim for RadioGatún as a flat sponge claim with capacity 19w"
9. "RadioGatún, a belt-and-mill hash function" (PDF). 2006-07-20.
10. "The road from Panama to Keccak via RadioGatún" (PDF). S2CID 2222603. Archived from the original (PDF) on 2018-08-05. For Keccak, we have therefore decided to remove the belt and instead increase the number of words in the mill
11. Khovratovich, Dmitry (2008). "Two Attacks on RadioGatún" (PDF). Progress in Cryptology - INDOCRYPT 2008. Lecture Notes in Computer Science. Vol. 5365. pp. 53–66. doi:10.1007/978-3-540-89754-5_5. ISBN 978-3-540-89753-8. S2CID 6487398. Archived from the original (PDF) on 2018-08-07.
12. https://www.cryptolux.org/images/7/79/Struct.pdf ^{[bare URL PDF]}
13. Bouillaguet, Charles; Fouque, Pierre-Alain (2009). "Analysis of the Collision Resistance of Radio Gatún Using Algebraic Techniques". Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 5381. pp. 245–261. doi:10.1007/978-3-642-04159-4_16. ISBN 978-3-642-04158-7.
14. Fuhr, Thomas; Peyrin, Thomas (2008). "Cryptanalysis of RadioGatun". Cryptology ePrint Archive.
15. "Keccak and the SHA-3 Standardization" (PDF).

External links

• The RadioGatún Hash Function Family, RadioGatún's official web page, with the hash's official description, public domain reference code, and test vectors
• rg32hash, an independent public-domain implementation of the 32-bit version of RadioGatún